Diffstat (limited to 'server')
-rw-r--r--server/man/sssd-krb5.5.xml26
-rw-r--r--server/man/sssd-ldap.5.xml66
-rw-r--r--server/man/sssd.conf.5.xml325
3 files changed, 193 insertions, 224 deletions
diff --git a/server/man/sssd-krb5.5.xml b/server/man/sssd-krb5.5.xml
index 234b194a..4de89919 100644
--- a/server/man/sssd-krb5.5.xml
+++ b/server/man/sssd-krb5.5.xml
@@ -46,7 +46,7 @@
for details on the configuration of a SSSD domain.
<variablelist>
<varlistentry>
- <term>krb5KDCIP (string)</term>
+ <term>krb5_kdcip (string)</term>
<listitem>
<para>
Specifies the IP address of the Kerberos server.
@@ -55,7 +55,7 @@
</varlistentry>
<varlistentry>
- <term>krb5REALM (string)</term>
+ <term>krb5_realm (string)</term>
<listitem>
<para>
The name of the Kerberos realm.
@@ -64,7 +64,7 @@
</varlistentry>
<varlistentry>
- <term>krb5try_simple_upn (boolean)</term>
+ <term>krb5_try_simple_upn (boolean)</term>
<listitem>
<para>
Set this option to 'true'
@@ -78,7 +78,7 @@
</varlistentry>
<varlistentry>
- <term>krb5changepw_principle (string)</term>
+ <term>krb5_changepw_principle (string)</term>
<listitem>
<para>
The priciple of the change password service.
@@ -93,7 +93,7 @@
</varlistentry>
<varlistentry>
- <term>krb5ccache_dir (string)</term>
+ <term>krb5_ccachedir (string)</term>
<listitem>
<para>
Directory to store credential caches.
@@ -105,7 +105,7 @@
</varlistentry>
<varlistentry>
- <term>krb5ccname_template (string)</term>
+ <term>krb5_ccname_template (string)</term>
<listitem>
<para>
Location of the user's credential cache. Currently
@@ -163,7 +163,7 @@
</varlistentry>
<varlistentry>
- <term>krb5auth_timeout (integer)</term>
+ <term>krb5_auth_timeout (integer)</term>
<listitem>
<para>
Timeout in seconds after an online authentication or
@@ -185,14 +185,16 @@
<para>
The following example assumes that SSSD is correctly
configured and FOO is one of the domains in the
- <replaceable>[domains]</replaceable> section.
+ <replaceable>[sssd]</replaceable> section. This example shows
+ only configuration of Kerberos authentication, it does not include
+ any identity provider.
</para>
<para>
<programlisting>
- [domains/FOO]
- auth-module = krb5
- krb5KDCIP = 192.168.1.1
- krb5REALM = EXAMPLE.COM
+ [domain/FOO]
+ auth_provider = krb5
+ krb5_kdcip = 192.168.1.1
+ krb5_realm = EXAMPLE.COM
</programlisting>
</para>
</refsect1>
diff --git a/server/man/sssd-ldap.5.xml b/server/man/sssd-ldap.5.xml
index 176849a7..4c7e07b6 100644
--- a/server/man/sssd-ldap.5.xml
+++ b/server/man/sssd-ldap.5.xml
@@ -49,7 +49,7 @@
<variablelist>
<varlistentry>
- <term>ldapUri (string)</term>
+ <term>ldap_uri (string)</term>
<listitem>
<para>
Specifies the URI of the LDAP server to which
@@ -62,7 +62,7 @@
</varlistentry>
<varlistentry>
- <term>ldapSchema (string)</term>
+ <term>ldap_schema (string)</term>
<listitem>
<para>
Specifies the Schema Type in use on the target LDAP
@@ -91,7 +91,7 @@
</varlistentry>
<varlistentry>
- <term>defaultBindDn (string)</term>
+ <term>ldap_default_bind_dn (string)</term>
<listitem>
<para>
The default bind DN to use for
@@ -101,7 +101,7 @@
</varlistentry>
<varlistentry>
- <term>defaultAuthtokType (string)</term>
+ <term>ldap_default_authtok_type (string)</term>
<listitem>
<para>
The type of the authentication token of the
@@ -112,7 +112,7 @@
</varlistentry>
<varlistentry>
- <term>defaultAuthtok (string)</term>
+ <term>ldap_default_authtok (string)</term>
<listitem>
<para>
The authentication token of the default bind DN.
@@ -122,7 +122,7 @@
</varlistentry>
<varlistentry>
- <term>userSearchBase (string)</term>
+ <term>ldap_user_search_base (string)</term>
<listitem>
<para>
The default base DN to use for
@@ -132,7 +132,7 @@
</varlistentry>
<varlistentry>
- <term>userObjectClass (string)</term>
+ <term>ldap_user_object_class (string)</term>
<listitem>
<para>
The object class of a user entry in LDAP.
@@ -144,7 +144,7 @@
</varlistentry>
<varlistentry>
- <term>userName (string)</term>
+ <term>ldap_user_name (string)</term>
<listitem>
<para>
The LDAP attribute that corresponds to
@@ -157,7 +157,7 @@
</varlistentry>
<varlistentry>
- <term>userUidNumber (string)</term>
+ <term>ldap_user_uid_number (string)</term>
<listitem>
<para>
The LDAP attribute that corresponds to
@@ -170,7 +170,7 @@
</varlistentry>
<varlistentry>
- <term>userGidNumber (string)</term>
+ <term>ldap_user_gid_number (string)</term>
<listitem>
<para>
The LDAP attribute that corresponds to
@@ -183,7 +183,7 @@
</varlistentry>
<varlistentry>
- <term>userGecos (string)</term>
+ <term>ldap_user_gecos (string)</term>
<listitem>
<para>
The LDAP attribute that corresponds to
@@ -196,7 +196,7 @@
</varlistentry>
<varlistentry>
- <term>userHomeDirectory (string)</term>
+ <term>ldap_user_home_directory (string)</term>
<listitem>
<para>
The LDAP attribute that contains the name of the
@@ -209,7 +209,7 @@
</varlistentry>
<varlistentry>
- <term>userShell (string)</term>
+ <term>ldap_user_shell (string)</term>
<listitem>
<para>
The LDAP attribute that contains the path of the
@@ -222,7 +222,7 @@
</varlistentry>
<varlistentry>
- <term>userUUID (string)</term>
+ <term>ldap_user_uuid (string)</term>
<listitem>
<para>
The LDAP attribute that contains the UUID/GUID of
@@ -235,7 +235,7 @@
</varlistentry>
<varlistentry>
- <term>userPrincipal (string)</term>
+ <term>ldap_user_principal (string)</term>
<listitem>
<para>
The LDAP attribute that contains the Kerberos
@@ -248,7 +248,7 @@
</varlistentry>
<varlistentry>
- <term>force_upper_case_realm (boolean)</term>
+ <term>ldap_force_upper_case_realm (boolean)</term>
<listitem>
<para>
Some directory servers, for example Active Directory,
@@ -264,7 +264,7 @@
</varlistentry>
<varlistentry>
- <term>userFullname (string)</term>
+ <term>ldap_user_fullname (string)</term>
<listitem>
<para>
The LDAP attribute that corresponds to
@@ -277,7 +277,7 @@
</varlistentry>
<varlistentry>
- <term>userMemberOf (string)</term>
+ <term>ldap_user_member_of (string)</term>
<listitem>
<para>
The LDAP attribute that list the user's
@@ -290,7 +290,7 @@
</varlistentry>
<varlistentry>
- <term>groupSearchBase (string)</term>
+ <term>ldap_group_search_base (string)</term>
<listitem>
<para>
The default base DN to use for
@@ -300,7 +300,7 @@
</varlistentry>
<varlistentry>
- <term>groupObjectClass (string)</term>
+ <term>ldap_group_object_class (string)</term>
<listitem>
<para>
The object class of a group entry in LDAP.
@@ -312,7 +312,7 @@
</varlistentry>
<varlistentry>
- <term>groupName (string)</term>
+ <term>ldap_group_name (string)</term>
<listitem>
<para>
The LDAP attribute that corresponds to
@@ -325,7 +325,7 @@
</varlistentry>
<varlistentry>
- <term>groupGidNumber (string)</term>
+ <term>ldap_group_gid_number (string)</term>
<listitem>
<para>
The LDAP attribute that corresponds to
@@ -338,7 +338,7 @@
</varlistentry>
<varlistentry>
- <term>groupMember (string)</term>
+ <term>ldap_group_member (string)</term>
<listitem>
<para>
The LDAP attribute that contains the names of
@@ -351,7 +351,7 @@
</varlistentry>
<varlistentry>
- <term>groupUUID (string)</term>
+ <term>ldap_group_uuid (string)</term>
<listitem>
<para>
The LDAP attribute that contains the UUID/GUID of
@@ -364,7 +364,7 @@
</varlistentry>
<varlistentry>
- <term>network_timeout (integer)</term>
+ <term>ldap_network_timeout (integer)</term>
<listitem>
<para>
Specifies the timeout (in seconds) after which
@@ -390,7 +390,7 @@
</varlistentry>
<varlistentry>
- <term>opt_timeout (integer)</term>
+ <term>ldap_opt_timeout (integer)</term>
<listitem>
<para>
Specifies a timeout (in seconds) after which
@@ -404,7 +404,7 @@
</varlistentry>
<varlistentry>
- <term>tls_reqcert (string)</term>
+ <term>ldap_tls_reqcert (string)</term>
<listitem>
<para>
Specifies what checks to perform on server
@@ -455,10 +455,14 @@
</para>
<para>
<programlisting>
- [domains/LDAP]
- auth-module = ldap
- ldapUri = ldap://ldap.mydomain.org
- userSearchBase = dc=mydomain,dc=org
+ [domain/LDAP]
+ id_provider = ldap
+ auth_provider = ldap
+ ldap_uri = ldap://ldap.mydomain.org
+ ldap_user_search_base = dc=mydomain,dc=org
+ ldap_tls_reqcert = demand
+ cache_credentials = true
+ enumerate = true
</programlisting>
</para>
</refsect1>
diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml
index 83129eeb..62d0c2b4 100644
--- a/server/man/sssd.conf.5.xml
+++ b/server/man/sssd.conf.5.xml
@@ -53,16 +53,18 @@
<title>SPECIAL SECTIONS</title>
<refsect2 id='services'>
- <title>The [services] section</title>
+ <title>The [sssd] section</title>
<para>
Individual pieces of SSSD functionality are provided by special
SSSD services that are started and stopped together with SSSD.
- The services are managed by a special service called
- <quote>monitor</quote>.
+ The services are managed by a special service frequently called
+ <quote>monitor</quote>. The <quote>[sssd]</quote> section is used
+ to configure the monitor as well as some other important options
+ like the identity domains.
<variablelist>
<title>Section parameters</title>
<varlistentry>
- <term>activeServices</term>
+ <term>services</term>
<listitem>
<para>
Comma separated list of services that are
@@ -91,121 +93,65 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>domains</term>
+ <listitem>
+ <para>
+ A domain is a database containing user
+ information. SSSD can use more domains
+ at the same time, but at least one
+ must be configured or SSSD won't start.
+ This parameter described the list of domains
+ in the order you want them to be queried.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>re_expression (string)</term>
+ <listitem>
+ <para>
+ Regular expression that describes how to parse the string
+ containing user name and domain into these components.
+ </para>
+ <para>
+ Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote>
+ which translates to "the name is everything up to the
+ <quote>@</quote> sign, the domain everything after that"
+ </para>
+ <para>
+ PLEASE NOTE: the support for non-unique named
+ subpatterns is not available on all plattforms
+ (e.g. RHEL5 and SLES10). Only plattforms with
+ libpcre version 7 or higher can support non-unique
+ named subpatterns.
+ </para>
+ <para>
+ PLEASE NOTE ALSO: older version of libpcre only
+ support the Python syntax (?P&lt;name&gt;) to label
+ subpatterns.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>full_name_format (string)</term>
+ <listitem>
+ <para>
+ A <citerefentry>
+ <refentrytitle>printf</refentrytitle>
+ <manvolnum>3</manvolnum>
+ </citerefentry>-compatible format that describes how to
+ translate a (name, domain) tuple into a fully qualified
+ name.
+ </para>
+ <para>
+ Default: <quote>%1$s@%2$s</quote>.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
</refsect2>
- <refsect2 id='domains'>
- <title>The [domains] section</title>
- <para>
- A domain is a database containing user information. SSSD can
- use more domains at the same time, but at least one must
- be configured or SSSD won't start.
- </para>
- <variablelist>
- <title>Section parameters</title>
- <varlistentry>
- <term>domains</term>
- <listitem>
- <para>
- The list of domains in the order you want them
- to be queried
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect2>
-
- <refsect2 id='names'>
- <title>The [names] section</title>
- <para>
- This section allows to configure how a name, or a fully qualified
- name looks like. These settings are used by both the PAM and NSS
- responders.
- </para>
- <variablelist>
- <title>Section parameters</title>
- <varlistentry>
- <term>re-expression (string)</term>
- <listitem>
- <para>
- Regular expression that describes how to parse the string
- containing user name and domain into these components.
- </para>
- <para>
- Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote>
- which translates to "the name is everything up to the
- <quote>@</quote> sign, the domain everything after that"
- </para>
- <para>
- PLEASE NOTE: the support for non-unique named
- subpatterns is not available on all plattforms
- (e.g. RHEL5 and SLES10). Only plattforms with
- libpcre version 7 or higher can support non-unique
- named subpatterns.
- </para>
- <para>
- PLEASE NOTE ALSO: older version of libpcre only
- support the Python syntax (?P&lt;name&gt;) to label
- subpatterns.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>full-name-format (string)</term>
- <listitem>
- <para>
- A <citerefentry>
- <refentrytitle>printf</refentrytitle>
- <manvolnum>3</manvolnum>
- </citerefentry>-compatible format that describes how to
- translate a (name, domain) tuple into a fully qualified
- name.
- </para>
- <para>
- Default: <quote>%1$s@%2$s</quote>.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect2>
-
- <refsect2 id='user_defaults'>
- <title>The [user_defaults] section</title>
- <para>
- This section contains settings that alter default values used
- when adding a user with SSSD userspace tools (sss_useradd).
- </para>
- <variablelist>
- <title>Section parameters</title>
- <varlistentry>
- <term>defaultShell (string)</term>
- <listitem>
- <para>
- The default shell for users created
- with SSSD userspace tools.
- </para>
- <para>
- Default: <filename>/bin/bash</filename>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>baseDirectory (string)</term>
- <listitem>
- <para>
- The tools append the login name to
- <replaceable>baseDirectory</replaceable> and
- use that as the home directory.
- </para>
- <para>
- Default: <filename>/home</filename>
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect2>
-
</refsect1>
<refsect1 id='services-sections'>
@@ -213,8 +159,8 @@
<para>
Settings that can be used to configure different services
are described in this section. They should reside in the
- [services/<replaceable>NAME</replaceable>] section, for example,
- for NSS service, the section would be <quote>[services/nss]</quote>
+ [<replaceable>$NAME</replaceable>] section, for example,
+ for NSS service, the section would be <quote>[nss]</quote>
</para>
<refsect2 id='general'>
@@ -224,7 +170,7 @@
</para>
<variablelist>
<varlistentry>
- <term>debug-level (integer)</term>
+ <term>debug_level (integer)</term>
<listitem>
<para>
Sets the debug level for the service. The
@@ -277,19 +223,7 @@
</para>
<variablelist>
<varlistentry>
- <term>sbusAddress (string)</term>
- <listitem>
- <para>
- The services in sssd communicate over an internal
- wrapper on top of D-Bus called S-Bus. This
- directive can be used to specify the address
- to connect to. The vast majority of configurations
- will not need to change this setting.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>sbusTimeout (string)</term>
+ <term>sbus_timeout (string)</term>
<listitem>
<para>
Specifies the timeout for messages sent over the SBUS.
@@ -311,7 +245,7 @@
</para>
<variablelist>
<varlistentry>
- <term>EnumCacheTimeout (integer)</term>
+ <term>enum_cache_timeout (integer)</term>
<listitem>
<para>
How long should nss_sss cache enumerations
@@ -323,7 +257,7 @@
</listitem>
</varlistentry>
<varlistentry>
- <term>EntryCacheTimeout (integer)</term>
+ <term>entry_cache_timeout (integer)</term>
<listitem>
<para>
How long should nss_sss cache positive cache hits
@@ -336,7 +270,7 @@
</listitem>
</varlistentry>
<varlistentry>
- <term>EntryCacheNoWaitRefreshTimeout (integer)</term>
+ <term>entry_cache_nowait_timeout (integer)</term>
<listitem>
<para>
How long should nss_sss return cached entries before
@@ -349,7 +283,7 @@
</listitem>
</varlistentry>
<varlistentry>
- <term>EntryNegativeTimeout (integer)</term>
+ <term>entry_negative_timeout (integer)</term>
<listitem>
<para>
How long should nss_sss cache negative cache hits
@@ -362,17 +296,20 @@
</listitem>
</varlistentry>
<varlistentry>
- <term>filterUsers, filterGroups (string)</term>
+ <term>filter_users, filter_groups (string)</term>
<listitem>
<para>
Exclude certain users from being fetched from the sss
NSS database. This is particulary useful for system
- accounts like root.
+ accounts.
+ </para>
+ <para>
+ Default: root
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>filterUsersInGroups (bool)</term>
+ <term>filter_users_in_groups (bool)</term>
<listitem>
<para>
If you want filtered user still be group members
@@ -392,17 +329,17 @@
<para>
These configuration options can be present in a domain
configuration section, that is, in a section called
- <quote>[domains/<replaceable>NAME</replaceable>]</quote>
+ <quote>[domain/<replaceable>NAME</replaceable>]</quote>
<variablelist>
<varlistentry>
- <term>minId,maxId (integer)</term>
+ <term>min_id,max_id (integer)</term>
<listitem>
<para>
UID limits for the domain. If a domain contains
entry that is outside these limits, it is ignored
</para>
<para>
- Default: 0 (no limit)
+ Default: 1000 for min_id, 0 (no limit) for max_id
</para>
</listitem>
</varlistentry>
@@ -422,7 +359,7 @@
</varlistentry>
<varlistentry>
- <term>magicPrivateGroups (bool)</term>
+ <term>magic_private_groups (bool)</term>
<listitem>
<para>
By using the Magic Private Groups option, you
@@ -482,7 +419,7 @@
</varlistentry>
<varlistentry>
- <term>cache-credentials (bool)</term>
+ <term>cache_credentials (bool)</term>
<listitem>
<para>
Determines if user credentials are also cached
@@ -495,7 +432,7 @@
</varlistentry>
<varlistentry>
- <term>store-legacy-passwords (bool)</term>
+ <term>store_legacy_passwords (bool)</term>
<listitem>
<para>
Whether to also store passwords in a legacy domain
@@ -507,10 +444,11 @@
</varlistentry>
<varlistentry>
- <term>provider (string)</term>
+ <term>id_provider (string)</term>
<listitem>
<para>
- The Data Provider backend to use for this domain.
+ The Data Provider identity backend to use for this
+ domain.
</para>
<para>
Supported backends:
@@ -528,7 +466,7 @@
</varlistentry>
<varlistentry>
- <term>useFullyQualifiedNames (bool)</term>
+ <term>use_fully_qualified_names (bool)</term>
<listitem>
<para>
If set to TRUE, all requests to this domain
@@ -544,11 +482,11 @@
</listitem>
</varlistentry>
<varlistentry>
- <term>auth-module (string)</term>
+ <term>auth_provider (string)</term>
<listitem>
<para>
- The authentication module used for the domain.
- Supported auth modules are:
+ The authentication provider used for the domain.
+ Supported auth providers are:
</para>
<para>
<quote>ldap</quote> for native LDAP authentication. See
@@ -577,7 +515,7 @@
<variablelist>
<varlistentry>
- <term>pam-target (string)</term>
+ <term>proxy_pam_target (string)</term>
<listitem>
<para>
The proxy target PAM proxies to.
@@ -589,7 +527,7 @@
</varlistentry>
<varlistentry>
- <term>libName (string)</term>
+ <term>proxy_lib_name (string)</term>
<listitem>
<para>
The name of the NSS library to use in proxy
@@ -602,6 +540,44 @@
</varlistentry>
</variablelist>
</para>
+
+ <refsect2 id='local_domain'>
+ <title>The local domain section</title>
+ <para>
+ This section contains settings for domain that stores users and
+ groups in SSSD native database, that is, a domain that uses
+ <replaceable>id_provider=local</replaceable>.
+ </para>
+ <variablelist>
+ <title>Section parameters</title>
+ <varlistentry>
+ <term>default_shell (string)</term>
+ <listitem>
+ <para>
+ The default shell for users created
+ with SSSD userspace tools.
+ </para>
+ <para>
+ Default: <filename>/bin/bash</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>base_directory (string)</term>
+ <listitem>
+ <para>
+ The tools append the login name to
+ <replaceable>base_directory</replaceable> and
+ use that as the home directory.
+ </para>
+ <para>
+ Default: <filename>/home</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
</refsect1>
<refsect1 id='example'>
@@ -611,39 +587,26 @@
not describe configuration of the domains themselves - refer to
documentation on configuring domains for more details.
<programlisting>
-[services]
-description = Local Service Configuration
-activeServices = nss, pam
-reconnection_retries = 3
-
-[services/nss]
-description = NSS Responder Configuration
-filterGroups = root
-filterUsers = root
-debug-level = 4
-
-[services/dp]
-description = Data Provider Configuration
-debug-level = 4
+[sssd]
+domains = LOCAL
+services = nss, dp, pam
+config_file_version = 2
+sbus_timeout = 30
-[services/pam]
-description = PAM Responder Configuration
+[nss]
+filter_groups = root
+filter_users = root
-[services/monitor]
-description = Service Monitor Configuration
+[pam]
-[domains]
-description = Domains served by SSSD
-domains = LOCAL
+[dp]
-[domains/LOCAL]
-description = LOCAL Users domain
-enumerate = TRUE
-minId = 5000
-maxId = 30000
-legacy = FALSE
-magicPrivateGroups = TRUE
-provider = local
+[domain/LOCAL]
+id_provider = local
+min_id = 1000
+max_id = 5000
+default_shell = /bin/ksh
+enumerate = true
</programlisting>
</para>
</refsect1>